Acceptance of Extraneous Untrusted Data With Trusted Data Affecting cryptsetup-libs package, versions <0:2.3.3-4.el8_5.1


0.0
medium

Snyk CVSS

    Attack Complexity Low
    User Interaction Required
    Confidentiality High
    Integrity High
Expand this section
NVD
4.3 medium
Expand this section
SUSE
5.9 medium
Expand this section
Red Hat
5.9 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-CENTOS8-CRYPTSETUPLIBS-2340931
  • published 14 Jan 2022
  • disclosed 13 Jan 2022

How to fix?

Upgrade Centos:8 cryptsetup-libs to version 0:2.3.3-4.el8_5.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cryptsetup-libs package and not the cryptsetup-libs package as distributed by Centos:8. See How to fix? for Centos:8 relevant fixed versions and status.

It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium.